Mobile point of sale systems: Hackers only need 5 minutes to get your PIN
It’s pretty common: A nice meal in a small pop-up restaurant, a great time with friends, and in the end the check. You normally pay via cash, but you don’t have enough on you. But that’s no problem; the establishment lets you pay via card after all. You pay the bill and go home. A couple of days later, while checking out our banking account you notice that the amount of money deducted is higher than it should have been. Not by much, but still … While this is something that could be cleared up, it takes up time. If the amount is not too high, you might not bother.
According to security researchers this is something that could happen, at least when the establishment where you were shopping or eating features one of the nice payment terminals that are connected to a smartphone or tablet.
Cheap mobile point of sale systems, cheap security
They are small, they are inexpensive, and that’s what makes them perfect for new and small businesses and restaurants, food trucks, market stalls, and pop-ups: cheap mobile point of sale systems. Sadly it seems like they are also riddled with vulnerabilities that could allow hackers to steal credit card information and/or change the amount of what you’re paying.
Researchers from Positive Technologies have looked at seven readers that cost less than 50$ – some of which are even from well-known companies like Paypal and Square. The results are not very promising. Five devices sport security vulnerabilities that would allow cybercriminals to trick customers into overpaying while two devices could be used to read out the PINs in plaintext.
For the first vulnerability hackers or fraudulent merchant would need to exploit Bluetooth and an insecure form of pairing that the readers use. After the task is accomplished the cybercriminal can tamper with the values: The final bill will now be higher than the amount on the reader that the customer gets to see.
The second vulnerability which would allow hackers to steal PIN numbers, was only present in devices manufactured Miura. Both PayPal and Square apparently were using them – at least until now. The attack is a bit more complicated since it includes an older firmware version that criminals might have to install first. Nonetheless such an attack (including downgrading the firmware if necessary and starting to exploit the devices) would only take a couple of minutes.
Issues are addressed but old devices are still out there
While all of the companies are working on fixing the issues and a making sure, that the vulnerabilities will be gone in the future, old devices that are still out there will stay insecure. No one can say how long they will stay in service and how many of them will be abused.
This article is also available in: German